Archive for January 2016

Lenovo ShareIT Users Urged to Patch Data Leak Flaws

Lenovo users are being urged to patch their machines after researchers released details of several vulnerabilities in the firm’s ShareIT app which could allow hackers to view and steal victims’ documents.

Core Security published details on its findings on Monday after a private disclosure to the Chinese PC giant back in October last year.

ShareIT is a free app from Lenovo which is designed to let users share files between their smartphone, tablet and computer.

The first flaw discovered, CVE-2016-1491, affects Windows machines: access to the Wi-Fi hotspot is protected by a fixed, easy-to-guess password, “12345678.”

“Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same,” said Core Security in the advisory.

The second flaw, CVE-2016-1490, means that when a machine is logged onto a Wi-Fi hotspot with that hardcoded password, a victim’s files can be browsed but not downloaded by performing an HTTP Request to the web server launched by ShareIT.

Next up comes CVE-2016-1489, which means files are transferred via HTTP with no encryption on Windows machines and Android devices.

“An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files,” warned Core Security.

Finally, the security firm pointed to CVE-2016-1492, which affects just Android users as follows:

“When the application is configured to receive files, an open Wifi HotSpot is created without any password. An attacker could connect to that HotSpot and capture the information transferred between those devices.”

All four vulnerabilities could result in serious data security issues if not patched.

The affected versions of the file-sharing app are ShareIT for Android 3.0.18_ww and ShareIT for Windows 2.5.1.1 and new versions are available here.

It’s not a great start to 2016 for Lenovo given its trials and tribulations in 2014-15 over the Superfish scandal.

Source: Information Security Magazine

UK Government Puts Money into Cybersecurity Accelerator

The UK government has announced a new 'first-of-its-kind' program designed to nurture the nation’s cybersecurity start-ups.

The £250,000 Early Stage Accelerator Programme will help start-ups in the space get advice, support and funding to develop their products and services and bring them to market.

It will be run by Cyber London – described as “Europe's first cybersecurity accelerator and incubator space” – and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

The latter has a strong track record in the cybersecurity space, having last year been on the receiving end of a £5m government investment project designed to expand cybersecurity research and innovation capabilities at the university.

The Center also won the Queen’s Anniversary Prize for Higher and Further Education 2015, for its work in cybersecurity.

Poppy Wood, chief of staff at Cyber London, explained that although the first phase of the Early Stage Accelerator will take place in London, it will support talent from across the UK.

“After the program the participants can choose to relocate away from London, be that to Belfast or elsewhere, but we will continue to support them throughout the duration of the program with mentoring personalized support,” she told Infosecurity.

“The UK is uniquely positioned to support cybersecurity start-ups thanks to our unique heritage in technology and information security innovation, our world-class academic capabilities and the density of our commercial sector.”

The current government has been a keen supporter of the UK’s burgeoning cybersecurity industry, announcing in November that spending on building “sovereign capabilities in cyberspace” would increase to £1.9 billion over the coming five years.

The government claim UK cybersecurity is currently worth £17.6bn, having grown an impressive 70% since 2013 – employing around 100,000 people.

Culture, media and sport secretary, John Whittingdale, praised the UK’s strong digital economy at a cybersecurity summit in London yesterday.

“As technologies continue to evolve there will be an increased demand for secure products and services, and this new program will ensure the best ideas from our brightest minds can help keep the UK safe in cyberspace,” he said in a statement.

It is hoped the new program will increase the rate of start-up development, help identify new business ideas, improve collaboration and help to test and validate commercially new ideas.

According to Wood, we could start seeing results pretty soon.

“The program is designed to connect individuals with more advanced innovation support mechanisms such as accelerators and incubators,” she said. “We would like participants to graduate into such programs as soon as they are able.”

   

Source: Information Security Magazine

(ISC)² Announce New Board of Officers

(ISC)² has announced its 2016 board of directors, with Wim Remes elected chairman of the board for the second time in three years.

Remes, also manager of strategic services for EMEA at Rapid 7, will head the 13-member board of global security professionals. Effective 23 January, Remes will be joined by Steven Hernandez as vice chairperson, Flemming Faber as treasurer and Jennifer Minella as secretary.

(ISC)² CEO David Shearer praised outgoing chair Professor Corey Schou, highlighting his volunteer efforts to strengthen (ISC)² and his ongoing commitment to advancing the profession.

“He led a momentous update to the organization’s bylaws last year, which required him to transition off the board on 31 December 2015,” he said. “I also thank Diana-Lynn Contesti and Dave Lewis, whose board terms ended in December, for their contributions.

“I echo Schou’s new people with fresh ideas approach that led to the board’s new term limits and welcome the 2016 board officers. I look forward to working with the new officers over the next year as they help us advance the vision of (ISC)² to inspire a safe and secure cyber world.”

Source: Information Security Magazine

Health Insurer Centene Loses Data on 950,000 Patients

US health insurer Centene says it has lost six hard drives containing highly sensitive personal and medical information on 950,000 patients.

The firm posted an official mea culpa on Monday, claiming it was involved in an “ongoing comprehensive internal search” for the half dozen drives, which are currently unaccounted for.

"Centene takes the privacy and security of our members' information seriously," said Centene president and CEO, Michael Neidorff, in a statement.

"While we don't believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives. The drives were a part of a data project using laboratory results to improve the health outcomes of our members."

The information said to have been stored on the hard drives includes name, address, date of birth, social security number, member ID number and – presumably pretty sensitive – medical data.

There’s apparently no financial information on the missing hard drives.

However, what is on there is certainly enough for scammers to use in convincing looking phishing campaigns. There’s even the risk with medical information that hackers could use it to blackmail victims.

Centene is offering the obligatory free post-incident credit and healthcare monitoring, and says it is currently “reinforcing and reviewing” its processes for managing IT assets.

There was no word on whether the data on the drives was encrypted or not, although it would be a strange detail to leave out if such security precautions had been taken.

The incident represents something of a departure for many high profile US-related data breaches, which usually involve the virtual lifting of information via remote hackers.

The biggest such incident in the UK, of course, came in 2007 when two password-protected CDs were lost in the post, affecting over 25 million individuals – more than two-fifths of the population at that point.

The incident prompted a government review and helped privacy watchdog the ICO successfully accrue new powers to fine organizations for breaches of the Data Protection Act.

Source: Information Security Magazine

Glasswall and ZeroDayLab Join Forces in New Security Partnership

Cybersecurity specialists Glasswall Solutions have announced a new partnership with ZeroDayLab as the two companies join forces to provide clients with total security management.

The move will see ZeroDayLab, whose client portfolio includes European firms across sectors such as banking, financial services, insurance, retail, and e-commerce, combine Glasswall’s unique approach to cybersecurity with their own holistic methods. 

Kevin Roberts, managing director at ZeroDayLab said: 

“In recent times we have seen threats to cybersecurity increase at an alarming rate, and many businesses have found themselves unprepared and vulnerable to attacks. Having initially been commissioned to conduct an independent penetration test of the Glasswall software and email platform, which it passed with flying colors, we immediately saw the potential benefits Glasswall would provide our customers. Our partnership with Glasswall will cover every angle to provide a uniquely holistic approach to managing risks, which makes this an exciting and beneficial relationship.

“Glasswall Solutions has developed a highly innovative answer to solve the single biggest cyber-threat facing organizations around the world, presented by the corruption of email-bound documents. This threat is currently responsible for 94% of successful attacks, but with Glasswall’s technology and ZeroDayLab’s 360° IT security plan, these attacks are stopped at source. This unique partnership will bring something really special to our clients to provide complete protection,” added Roberts.

With new EU regulations soon coming into effect, companies will be required to prove their compliance and protection, or risk facing fines of up to 5% of global revenue. With this in mind, Glasswall and ZeroDayLab have clearly taken steps to strengthen their security services.

Infosecurity spoke to Bob Tarzey, Analyst and Director, Quocirca, about this new partnership and the benefits it will bring to both companies. 

He said:

“Glasswall is a small UK-based vendor with a niche product, it relies on partners to go to market, so a new partner is good for it. ZeroDayLab is a managed security service provider and needs to provide its customers with SLAs around the level of protection it provides and clearly sees the Glasswall technology as helping it to ensure these. 

“Glasswall does something very specific, it rebuilds files from scratch to ensure there is no embedded malware – guaranteed good, this will add value to a range of other technologies of use besides them.”

Source: Information Security Magazine

Oversight Committee Demands Government ScreenOS Audit

An influential Congressional committee has written to all major US government departments and agencies requesting an audit of computer systems to appraise how many were affected by the major security issue in Juniper Networks firewalls revealed last month.

Juniper claimed in a statement in December to have found “unauthorized code” in ScreenOS firmware powering its firewalls, which could allow attackers to gain administrative access to affected devices and achieve VPN decryption.

Admins at all organizations with NetScreen devices running ScreenOS 6.2.0r15 to 6.2.0r18, or 6.3.0r12 to 6.3.0r20, were required to apply the patch issued promptly by the network giant.

Now the Committee on Oversight and Government Reform wants to know who’s running what, and whether they’ve taken the recommended security steps or not.

Although the committee only sent out the letters late last week, it has given the relevant departments until just 4 February – two weeks – to respond.

The letters in question ask whether the recipient agency/department uses the affected ScreenOS versions; how it discovered the vulnerability and whether any action was taken prior to Juniper issuing a patch; which specific version of ScreenOS is being used; and when the software patch was deployed.

In total, 24 agencies and departments have been sent letters, including the Department of Defense, State Department, NASA, the Office of Personnel Management (OPM), the Treasury and the SEC.

The committee is right to be anxious about the federal government’s cybersecurity posture, given it has previously been found wanting in this area.

Security shortcomings at the OPM, for example, led to the breach of over 21 million records of current and former government employees and their families, including details about security clearance requests.

It’s believed that this information may have been stolen by state-sponsored actors from China keen to use the information for intelligence purposes – some have speculated potentially to identify individuals who could be recruited as double agents.

Source: Information Security Magazine

Ransomware Responsible for 42% of UK Security Breaches in 2015

IT managers are being urged to make their organization a “seriously ugly target” in order to deter cyber-criminals, after new research revealed 42% of security breaches in the UK last year were down to ransomware.

IT security reseller Foursys polled 400 UK IT managers and found nearly two-thirds (62%) expected security to be a higher priority this coming year.

Of the 15% that reported a security breach in 2015, 42% claimed to have been hit with ransomware, 10% reported “significant disruption to systems” and 11% said they’d lost data as a result.

Foursys managing director, James Miller, told Infosecurity that most attackers are looking for soft targets.

"They want a way in that will be efficient and cost-effective. So we are talking things like unpatched vulnerabilities in your applications, poor passwords – or unsuspecting staff that'll hand over passwords – and insufficient or out-of-date security software,” he added.

“The more impenetrable your castle, the more likely these criminals will be deterred."

Keeping patches up to date, running the latest version of your security software, and pen testing to discover unknown vulnerabilities will help in this, the firm said.

It’s also important to ensure staff are made aware of the latest threats and their potential impact on the business.

"Online extortion – whether it be by ransomware encrypting victims' files and locking up computers, or demanding payment to stop blasting websites offline through denial-of-service attacks – is surging and only likely to get worse in the next six months,” claimed security consultant Graham Cluley.

“Unless companies take steps now to reduce the risks with a layered defence and recovery procedures they may find themselves struggling to cope."

The past 12 months were notable for the sheer volume of new ransomware doing the rounds.

Bitdefender claimed in a December report that over half (54%) of all malware targeting UK users in 2015 contained some form of ransomware.

It’s easy to see why, given that many users are panicked into paying up rather than wave goodbye to important documents.

The group behind the CryptoWall ransomware managed to extort more than $325 million from US victims alone.

New variants are coming out all the time. Heimdal Security, for example, discovered a spam campaign back in September spreading ransomware with a 0% detection rate when run through all of the 57 anti-malware tools listed in VirusTotal.

Source: Information Security Magazine

Scarlet Mimic Threat Group Takes Aim at Chinese Dissidents

Security experts are warning of a new multi-year advanced cyber espionage campaign targeted against Uyghur and Tibetan activists as well as Russian and Indian anti-terrorist agencies.

The so-called “Scarlet Mimic” group has been operating since 2009, using spear phishing and watering hole attacks to infect users.

It has exploited five separate vulnerabilities in its spear phishing efforts, explained Palo Alto Networks in a lengthy post detailing the group.

“However, in many cases they chose to forgo exploiting a software vulnerability and used self-extracting (SFX) RAR archives that use the Right-to-Left Override character to mask the true file extension, tricking victims into opening executable files,” the vendor added.

It continued:

“As with many other attackers who use spear-phishing to infect victims, Scarlet Mimic makes heavy use of ‘decoy’ files. These are legitimate documents that contain content relevant to the subject of the spear phishing e-mail. After the system is infected, the malware displays the decoy document to trick the user into believing nothing harmful has occurred. These decoy documents allow us to identify the theme of the spear phishing e-mail and in some cases the target of the attack.”
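The Right-to-Left Override masking mentioned in the first quote above can be screened for on the receiving side. The following Python check is an added example, not code from Palo Alto Networks or the original article; the sample file names and the executable-extension list are constructed, and the rendering is a simplified approximation of bidirectional display.

```python
import os

# Unicode bidirectional formatting controls that change how a name is drawn.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"

# Assumed policy list of extensions treated as executable; adjust locally.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def strip_controls(text):
    """Drop every bidi formatting control from a string."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate what a bidi-aware UI shows: the run after an RLO is drawn
    reversed, up to the matching PDF or the end of the name."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(strip_controls(name[i + 1:end])[::-1])
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)


def inspect_filename(name):
    """Compare the extension the OS acts on with the one the user sees."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    if controls and shown_ext != real_ext:
        verdict = "spoofed-extension"
    elif controls:
        verdict = "bidi-control"
    else:
        verdict = "clean"
    return {"shown": shown, "real_ext": real_ext, "shown_ext": shown_ext,
            "controls": controls, "verdict": verdict,
            "executable": real_ext in EXECUTABLE_EXTS}


def scan(names):
    """Return findings for every name that carries a bidi control."""
    results = [(n, inspect_filename(n)) for n in names]
    return [(n, r) for n, r in results if r["verdict"] != "clean"]


# Constructed sample attachment names (not taken from any real campaign).
SAMPLES = ["minutes.docx", "report_\u202ecod.scr",
           "photo\u202egpj.exe", "notes\u202a.txt"]

if __name__ == "__main__":
    for name, finding in scan(SAMPLES):
        print(ascii(name), finding)
```

A mail gateway or archive scanner would typically quarantine any `spoofed-extension` result whose `executable` flag is set, and log the remaining `bidi-control` hits for review.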

Another major theme running through Scarlet Mimic attacks is the use of a Windows backdoor first discovered by Trend Micro in 2013 and dubbed ‘FakeM’, whose C&C traffic apes Windows Messenger and Yahoo Messenger traffic to bypass traditional filters.

Palo Alto discovered two new variants of the backdoor in its analysis and nine separate loader trojans used to avoid detection.

The group has also branched out into mobile malware with attacks on Android devices, as well as OS X machines.

Although the security vendor fell short of direct attribution to the Chinese government, it admitted that the main targets of the group – Uyghur and Tibetan activists – have “a history of strained relationships” with Beijing.

Some elements of the research, such as the discovery of FakeM, have been noted by security teams in the past but Palo Alto claimed to have brought together previously disparate strands to attribute to Scarlet Mimic.

Source: Information Security Magazine

Anonymous Carry-out DDoS Attack on Japanese Airport Website

The hacktivist group Anonymous have claimed responsibility for a DDoS attack which took down the website of Narita International Airport, near Tokyo.

IB Times reported that the website went offline for several hours on 22 and 23 January and, although flights operated normally, passengers were unable to access information on the site.

A Twitter account linked to Anonymous revealed the attack was carried out as part of a revenge protest following the detainment of Ric O’Barry, a leading animal rights activist, on 18 January. O’Barry was refused entry into Japan by immigration authorities after he was accused of planning to support a campaign against the slaughter of dolphins.

According to activists, each year 20,000 dolphins, small whales and porpoises are killed for their meat by Japanese fishermen. The Taiji dolphin drive hunt is an annual event that takes place in Taiji, Wakayama between September and March, with the animals caught for human consumption or for resale to dolphinariums. Despite providing significant income for local residents, the hunt has attracted international criticism amid concerns about the cruelty of the killings and the high levels of mercury found in dolphin meat.

This latest animal rights Anonymous attack is the second carried out on a Japanese organization in less than a week, with the hacktivists recently bringing down the websites of automotive manufacturer Nissan in an anti-whaling campaign.

Infosecurity spoke to Dave Larson, Chief Operating Officer at Corero Network Security, about the increasing prevalence of DDoS attacks and the effect they are having on organizations. He said:

“DDoS attacks have been increasingly present in the headlines, and I think the difference in the last six to 12 months is that organizations are more aware of what a DDoS attack is, and its impact. ‘Cyber-attack’ or ‘website hack’ were terms used when organizations weren’t quite sure what caused the outage. This uptick in reported or confirmed DDoS attacks really indicates not only the upsurge in attack activity, but the awareness organizations now have when it comes to this service availability and network security issue.”

He added:

“The motivations for DDoS attacks are so wide ranging that it is difficult to predict who will be the next victim. Our recommendation is that any internet connected business, or the internet providers themselves, must take a proactive approach to real-time DDoS mitigation. It’s not a matter of who gets hit next, it’s when.”
 

Source: Information Security Magazine

OpenSSL to Patch a High-Severity Flaw

OpenSSL is planning to update two versions of its software this week, patching a pair of vulnerabilities.

The upgrade, to versions 1.0.2f and 1.0.1r, will fix two security defects when it hits on Thursday. One of those is a high-severity issue affecting 1.0.2 releases, and the other is low-severity affecting all releases.

OpenSSL didn’t give specific details about the issues, but its security policy notes that the “high severity” designation means that the vulnerability is dangerous, but not as dangerous as “critical” vulnerabilities, which are denoted as affecting common configurations, being easy to exploit and open to remote attack.

OpenSSL is a security standard encrypting communications between users and the servers provided by a majority of online services. Because it’s a basic component of a wide swath of the web, affecting various applications and systems, and even embedded devices, any security flaw is an important one to pay attention to. Its sheer ubiquity is one of the reasons why the Heartbleed flaw took months and months to patch even after an update was released.

After the infamous Heartbleed flaw in OpenSSL left a majority of the web open to wholesale information theft, the open-source group has been diligent in its coding reviews and patch updates.

The terse approach to explaining the issues at hand this week is typical—OpenSSL has patched a few of these types of mystery bugs in the last couple of years. It has also issued updates to address general SSL vulnerabilities like last year’s FREAK, which allowed hackers to perform a man in the middle (MITM) attack on traffic passing between Android or Apple devices and potentially millions of websites, by downgrading encryption to a crackable 512-bits.

OpenSSL recently reached end-of-life on versions 0.9.8 and 1.0.0, in December, while versions 1.0.1 and 1.0.2 will receive security support through the end of 2016 and 2019 respectively. Admins should of course update as soon as the patch is released.

Source: Information Security Magazine